Threat Hunting IQY files with YARA

Posted on 2018-08-23 by Adam Swanda

The goal of threat hunting is to proactively identify potential threats that have evaded existing security measures. Over the past several months the use of malicious Excel IQY files to deliver malware has fallen into this category for many organizations and users as a blind spot. Threat actors, both cybercrime and APT, have launched phishing campaigns using this technique to evade common detection methodologies and have left computer network defenders wondering how to catch future occurrences of this technique. Although many of the notable phishing campaigns have similar indicators that one might hunt for, limiting yourself to these will leave your scope narrowed to a limited set of known threats, and when hunting you are looking to identify otherwise unknown threats. In this post, we will review how to leverage YARA signatures in a multi-staged hunting approach to identify indicators of potential malicious activity in these file types. We will cover the IQY file format in both its legitimate and malicious uses, as well as identify common indicators of malicious activity seen in the wild, and how we can broaden those indicators to increase the scope of our threat hunting.

The malicious IQY campaigns seemingly came out of nowhere and caught many by surprise. Many traditional detection measures were unable to detect the attacks, let alone prevent them. Unlike malicious Office macros which security practitioners and end-users know can pose a real security risk, IQY files seem to have slipped past both security professionals and general users alike.

Even though IQY files have been around for many years, using them as a method of malware delivery was seemingly either largely unknown or forgotten about - outside of small circles. For example, after speaking with some friends on the Red Team side of the aisle; using IQY files in this malicious manner has been quietly used for years now and often to great success. A perfect example is this blog post from 2015 from Lab of a Penetration Tester details how one might leverage an IQY file during a red team engagement.

As more common delivery vectors like malicious Office macros are becoming easily detected and well-known among users, IQY files are an inviting change for threat actors. With known cases bridging both cybercrime and cyber espionage, it is likely this vector will continue to be used into the foreseeable future.

To help in the fight against this threat vector, we have created a series of YARA signatures that act as layers of a multi-stage hunting approach. In threat hunting, we do not want too narrow of a focus or we will miss true positives, but on the other hand going too broad will have analysts investigating a large number of false positives. By using our layered approach to hunting IQY files, we first start with a very broad scope to identify all IQY files regardless of their legitimacy. Then narrow those hits down to suspicious activity likely to be only seen outside of legitimate files. Next, we look even further for specific attributes in IQY files that have a high confidence of maliciousness and are worthy of a more focused investigation.

Overview: IQY File Format

Before creating these signatures to identify the files, it helps to have a solid understanding of the file format itself and how threat actors can misuse its capabilities.

IQY files are a plaintext file format that Excel supports as a built-in feature for users to execute a "Dynamic Web Query" and import data returned from the web request into the opened Excel spreadsheet.

In its most basic form, an IQY file will contain:

WEB alone on the first line to indicate that the file is an Excel Web Query

1 alone on the second line to signify the type of web request that will be made

URL alone on the third line that will be requested when the file is executed

There are some caveats to the basic format notes above. The WEB word is not case-sensitive and may contain spaces (not tabs) before or after the word. Also, the second line of 1 is not always needed, and in this case the URL will become the second line. These appear to be edge cases that have yet to been seen in the wild through our research, but nonetheless they were kindly pointed out by @MrUn1k0d3r on Twitter the other night. It is unknown how common these techniques are being used in phishing campaigns or other delivery vectors.

The vast majority of both the legitimate and malicious files we've seen in the wild follow the original format above, with "WEB" on the first line by itself acting as a sort of file magic. Identifying the file layout is the first step to creating a set of signatures that we can use for hunting. From this simple explanation we know how all IQY files begin and that they must include a URL.

This information is very useful and will go towards creating the YARA signatures for our hunting ruleset.

Legitimate IQY files are often easily visually recognizable by their content and the use of additional Excel Web Query components, as opposed to malicious files which are much simpler in their creation. Often the other components in legitimate files are specific field names and values that are used to make more advanced web requests, such as querying a URL that accepts parameters and prompting the user for their input. In the legitimate example below, everything after SYMBOL= is used to prompt the Excel user for input with a text input box titled "QUOTE" and the message of "Enter stock, fund or other MSN MoneyCentral Investor symbols separated by commas." The input into this text box is used as the value for the SYMBOL= parameter in the actual web request.

Another example of a legitimate file we discovered is below and leverages several more Web Query components towards the end of the file. The URL in this example has been slightly redacted for privacy purposes.

Malicious IQY files, more often than not, do not leverage these additional fields or prompt the user with value into for the web requests being made. We can likely safely ignore these fields when creating our signatures.

Now let's take a look at some known malicious IQY file contents to identify any disparities between them and their legitimate counterparts. Below are two examples randomly pulled from our malware corpus we'll be using in this post.

The first thing that jumps out is the lack of the other Web Query parameters, text input box prompts, or any additional Web Query fields towards the end of the file.

Also, on the line immediately following the URL, it's easy to see the additional alphanumeric characters which we believe is an attempt to either bloat the file size or is some weak attempt at obfuscation and/or detection evasion. These additional characters do not seem to affect the execution of the file or the web requests, and ultimately our signatures will detect these IQY files with or without the extraneous data.

Although, do not discount all of the extra data in an IQY following the URL. We have very recently seen a proof of concept IQY file that included an encoded DLL at the end of the file. Once executed the IQY file would fetch a script to parse, decode and then execute the embedded payload. This obviously avoids the usual secondary step of downloading a remote malware payload. While this was only a proof of concept, we believe it won’t be long before malicious actors discover and begin to use this same method.

Back to the malicious IQY files above. The URL format above, including the usage of the .dat file extension, has been common among publicly discussed campaigns. But we do not want to identify malicious files that have only followed publicly known indicators, like the usage of .dat extensions. Our hunt goal is to identify a broader scope of malicious files that slip past publicly known indicators and therefore potentially any antivirus software using those indicators in their signatures.

Here are some additional attributes we consider when creating our signatures.

Malicious IQY Execution Flow

Before Excel can run a malicious IQY file it first has to actually get onto the potential victims’ computer. Historically the delivery of the files has been achieved through general phishing emails and targeted spear-phishing campaigns.

The malicious IQY files will be attached to the phishing email, often inside a Zip archive. Once the target user downloads the attachment and double clicks the .iqy file, Excel will launch itself to load the file as it's the default Windows application for this file type.

Another aspect making this attack particularly dangerous is that the Dynamic Web Query action inside the IQY file can be automatically executed without requiring any user interaction. Though depending on the security settings of the target Windows system, a security warning like this may be presented to the user:

Excel Security Notice

When a malicious IQY file is executed, it will attempt to make a web request to the URL embedded in the file. The content received from the URL is Excel cell content that gets executed through DDE.

In the case of the Flawwed Ammy campaign, the IQY file was delivered through phishing emails. Once opened, the IQY file retrieved remote Excel cell content from the embedded URL. The downloaded cell content contained a single PowerShell string seen below:

Before this command can be executed, the user is presented with a prompt to start cmd.exe with a message of "Remote data not accessible.". If the user clicks through this prompt, the PowerShell script is executed and in turn downloads and executes yet another PowerShell script which then retrieves and runs the Flawwed Ammy payload.

Across documented campaigns, we have seen this same delivery workflow. A phishing email containing an attachment with a malicious IQY file inside is received. Once the user opens the attached IQY file in Excel and continues through the message prompts, a malware payload is eventually executed.

Executing malicious content isn't limited to only calling on PowerShell code within an Excel cell. Essentially any Windows executable that can be used to make web requests, save the received content, and execute it can be used as the secondary pivot. We have seen examples in the wild that make use of certutil.exe, bitsadmin.exe, cmd.exe, powershell.exe, and several more.

The GitHub repository LOLBAS, which stands for Living Off The Land Binaries and Scripts, has a detailed collection of built-in Windows executables that could potentially be used to download and execute malware through an IQY file and DDE. An example of a simple YARA signature to detect Excel cell content using DDE and these binaries could be something as simple as looking for =cmd| at file offset 0, the existence of any of the LOLBAS file names followed by a URL, and a small file size.

An example of this method being used with the bitsadmin.exe executable can be seen below.

If investigating a suspected compromise from a malicious IQY file, some endpoint indicators to search for would be the existence of an IQY file on disk, cmd.exe or other suspicious processes as a child process of Excel, one or more PowerShell processes as children of the child process, or the Excel and its child processes making outbound HTTP requests.

Stage 1 Signature

By inspecting the above files and the file format itself, we now know the typical layout of the first three lines of any arbitrary IQY file, legitimate or otherwise.

As mentioned before, we are creating a multi-staged hunting approach. This brings us to our first YARA signature in the hunting ruleset: identify all Excel IQY files.

Using our Stage 1 YARA signature below, we can look for the WEB string alone on the first text file line with an arbitrary number of spaces before and after the word, and as a case-insensitive string. Then we’ll look for any URL on a single line.

When deployed alone, this signature triggering might seem like overkill and often doesn't warrant investigation. But depending on your environment and how often IQY files are seen, especially within email attachments, this alone could prove valuable. When paired with the following signatures in this post, it also provides an at-a-glance way to determine and differentiate legitimate from suspicious files.

Stage 1 Signature

The YARA signature is created using two basic regex patterns to meet the conditions explained above. The meta section of the signature also includes a "Severity" field in case investigators wish to use these fields for additional information about a signature when it's triggered. In this case, Severity is assigned as 0 since this is basically an informational alert rather than being directly actionable.

rule IQY_File
{
meta:
Author = "InQuest Labs"
Website = "https://www.inquest.net"
Description = "Detects all Excel IQY files by identifying the WEB 'magic' on the first line and also includes any URL."
Severity = "0"
strings:
/* match WEB on the first line of a file
takes into account potential whitespace before or after case-insensitive "WEB" string
*/
$web = /^[ \t]*WEB[ \t]*(\x0A|\x0D\x0A)/ nocase
/* match any http or https URL within the file */
$url = /https?:\/\/([\w\.-]+)([\/\w \.-]*)/
condition:
$web at 0 and $url
}

This casts a very wide net to catch all Excel IQY files and is primarily used to alert analysts that an IQY file has been identified in their environment. When later coupled with the Stage 2 and Stage 3 signatures, it will be much easier to separate the known good from the known bad, and to know where you should further focus your hunting and investigation efforts.

While a single Stage 1 hit alone should be a legitimate IQY file, if inspection reveals potential malicious or suspicious activity that slipped past the other signatures then that information can be used to tune the signatures further to match broader cases not covered by these initial signatures.

Hunting for Malicious IQY Files

Now that we've covered how to identify any arbitrary Excel IQY file, let's take a look at how to identify generally suspicious as well as potentially malicious IQY files.

By approaching this threat hunt as an onion, where each YARA signature reveals another layer to a potential threat, it's possible not only identify potentially suspicious files but also determine what threat level might be associated with them based on which signature they trigger. Bundling these signatures with alerting of increasing severity is a great way for SOC analysts and other responders to quickly assess and triage the situation.

Remember, the goal is to keep this scope as broad as possible at first and then layering signatures to reduce the scope to isolate and identify the malicious content.

Combinations of multiple rules triggering is also a strong indication of suspicious activity. If the Stage 2 and 3 signatures all trigger on the same file, this is certainly something to investigate quickly.

Stage 2 Signature:

The next signature is given a severity of 5 since triggering almost certainly indicates suspicious activity that should be investigated.

The YARA signature looks for the same base content as our first signature, but also looks for commonly suspicious URLs such as file download providers, URL shorteners, and direct IP address URLs.

The final signature in our hunting ruleset is similar to the Stage 2 signature but with one significant difference. Instead of looking for specific suspicious domains, the rule looks for the use of URLs that make use of suspicious file extensions commonly used as downloader pivots in malware during the delivery stage. For example, an Office macro might download a .vbs or .ps1 file from a remote host which in turn prepares the infected system and ultimately downloads the final malware executable payload. This signature attempts to identify those pivots and give responders a chance to catch them before they can be downloaded and executed.

rule IQY_File_With_Pivot_Extension_URL
{
meta:
Author = "InQuest Labs"
Reference = "https://www.inquest.net"
Description = "Detect Excel IQY files with URLs that contain commonly used malicious file extensions that may act as a pivot to a secondary stage."
Severity = "9"
strings:
/*
match WEB on the first line of a file
takes into account potential whitespace before or after case-insensitive "WEB" string
*/
$web = /^[ \t]*WEB[ \t]*(\x0A|\x0D\x0A)/ nocase
/*
generic URL to direct download a file containing a potentially malicious extension.
File extensions were decided based upon common extensions seen in the wild
The extension list can be expanded upon as new information comes available from matches
on the Stage 1 or Stage 2 signatures
*/
$url = /https?:\/\/[\w\.\/]+\.(scr|exe|hta|vbs|ps1|bat|dat|rar|zip|ace)/ nocase
condition:
$web at 0 and $url
}

InQuest Labs has had great success using these signatures as well as this multi-tiered approach to hunting. In the Active Hunt Results section at the end of this post, we've included some hashes of the signature hits and provided examples of the file contents for each to demonstrate what they look like in the wild.

Conclusion

By using a layered approach to creating YARA hunt signatures; starting off with a wide scope & low severity rule and raising the severity while narrowing the scope to indicators of potentially suspicious activity, it is possible to identify a much larger sample set than if a single rule was created to match artifacts from a specific campaign. Remember, threat hunting is about catching the unknown bad that has slipped past other defenses.

If any of the higher severity signatures trigger on an asset, it's recommended to investigate immediately and determine if the system successfully connected to the URL embedded in the IQY file.

InQuest recommends the following investigational questions and actions if an asset did download and/or execute a suspected malicious IQY file:

Did the asset communicate with the embedded IQY URL?

Was there outbound HTTP traffic from Excel after an IQY file was downloaded and/or opened?

Was data sent back to the asset from the URL?

Was cmd.exe launched shortly after an outbound HTTP request from Excel?

Are there new processes with Excel as its parent process not normally associated with the application?

Are new PowerShell processes running on the asset?

If so, has there been outbound HTTP traffic from these processes?

Are there new files in common malware drop directories such as %APPDATA%, %TEMP%, or other common malware drop locations?

Has any unusual inbound or outbound network communication been sent to/from the affected asset after the initial execution of Excel?

All YARA signatures mentioned in this blog are available in our yara-rules GitHub repo. for public use. We also added these rules to VirusTotal Intelligence Hunting for a period of time to collect samples demonstrating each stage. Below are just a handful of file hashes and their contents for each of our staged rule hits.

As this rule will match any IQY file using an IP address within the URL, we may find matches like this that are suspicious but do not use the pivot extensions of the Stage 3 rule. There may be some overlap of this rule and the next rule if a URL uses an IP address and a suspicious extension. This is all the more reason to focus on that file if it appears in your hunt as it will have triggered two separate hunt signatures.

WEB
1
hxxp://169.239.129[.]17/404

Stage 3 Hits

4f31a82cb94981a8ef941201a5ab6c53e48685e1a5669132cdc22ed135443495

711790d56020270aad629ade25b90dd483ec945950cad37dad391579be05b05

bbfc34e4f0aae5b1899ec92c77fcd46941dc2caa41c9e57f35271dd77ef410cf

f3bb2935a97c9513a8b92116c353c8f98abfc37d96cb600367bc07c824cecbb1

944039b597a4c2e43f144354831f4c6b6aa1e66df6b0bc60c9fa6c2f093a4a62

3366e30dd0d9a6c1f33f53b315aeb4a855b4ea9d72e4652f97bc1e58f13b2e3c

3cb3a220c3bc2aedc8e96848d2b54ebcb0245175fcec88018325a1e31d4b678d

b84d881ba76ecb4e077aab1a15b962c9e475b9a4c89c656ddbb4c8a058f5d7f

e952df8fc43f4c04323bc35c9a46f88811e93e709c1aae159286b0eeb260a3ce

d340ea4ff12a8ebb0d863e647e56ff357f13adc0bce44799b3acd3c434de25c9

3f8be5f94ae9bc207edcc6d569121dab0935b0d26aad7fa75b36692535a5ee22

6dd1f7db6fce9381f664180a30d0d4ebee91a4c0a83969cd4f85090ab70cefc9

e34499050025ef015a666a8aaa3be980c07620557d76596e67ebde3a96c3841d

e0f859859f010e595bc12cd6adee92c5bce34b6642a0aa37ca3699e736786a38

1e0ac4901ff78af6d76b34e5ca209b95f044b35d426ab81ac7c24c7c9c2509f5

ed9ada4fa0f323fde07ee3e9afacf9f8bd8b9b07771fe8f328ad96c33c0381a1

55f49cae3f11edd992770121d1b46d4d46c8f8298d013fb5af10bbfa0f1a2789

ca0da220f7691059b3174b2de14bd41ddb96bf3f02a2824b2b8c103215c7403c

28d391bf7aa72d59a387bfaba099d9e176ee976959a4f99b8d04dbeef75e76b5

With these matches we should begin to see files that are immediately recognizable as suspicious and look very similar to the IQY files distributed in the phishing campaigns mentioned above.

The first example found appears to be a simple test file, but this was caught due to the inclusion of the .ps1 file extension pivot in the Stage 3 rule.

WEB
1
hxxp://malware[.]com/download.ps1

For a more obviously suspicious and widely known example, here we have a case of a malicious IQY file using the typical .dat file extension.